How-To Geek

“Change your passwords regularly” is a common piece of password advice, but it isn’t necessarily good advice. You shouldn’t bother changing most passwords regularly — it encourages you to use weaker passwords and wastes your time.

Yes, there are some situations where you’ll want to regularly change your passwords. But those will probably be the exception rather than the rule. Telling typical computer users they need to regularly change their passwords is a mistake.

The Theory of Regular Password Changes

Regular password changes are theoretically a good idea because they ensure someone can’t acquire your password and use it to snoop on you over an extended period of time.

For example, if someone acquired your email password, they could log into your email account regularly and monitor your communications. If someone acquired your online banking password, they could snoop on your transactions or come back in several months and attempt to transfer money to their own accounts. If someone acquired your Facebook password, they could log in as you and monitor your private communications.

Theoretically, changing your passwords regularly — perhaps every few months — will help prevent this from happening. Even if someone did acquire your password, they’d only have a few months to use their access for nefarious purposes.

The Downsides

Password changes shouldn’t be considered in a vacuum. If human beings had infinite time and perfect memory, regular password changes would be a fine idea. In reality, changing passwords imposes a burden on people.

Changing your password regularly makes it harder to remember good passwords. Rather than create a strong password and commit it to memory, you must attempt to remember a new password every few months. Users who are forced to regularly change their password by a computer system may end up appending a number — so they may use password1, password2, and so on.

It’s hard enough to change your password regularly for a single account and remember your new password each time. But we all have many passwords — imagine having to change your password regularly and constantly remember unique, strong passwords for a large number of services.

It’s already basically impossible to choose strong, unique passwords for every website and remember them — that’s why we recommend using a password manager like LastPass or KeePass. If you change your password every few months, you’ll likely end up using weaker passwords and reusing them across multiple websites. It’s much more important to use strong, unique passwords everywhere than to change your password regularly.

Why Changing Passwords Won’t Necessarily Help

Regularly changing your password won’t help as much as you might think. If an attacker gains access to your accounts, they’ll most likely use their access to cause damage right away. If they gain access to your online banking account, they’ll log in and attempt to transfer money out rather than sit and wait. If they gain access to an online shopping account, they’ll log in and attempt to order products with your saved credit card information. If they gain access to your email, they’ll likely use it for spam and phishing, or attempt to reset passwords on other sites with it. If they gain access to your Facebook account, they’ll probably attempt to spam or defraud your friends immediately.

Typical attackers won’t hold onto your passwords for an extended period of time and snoop on you. That’s not profitable — and attackers are just after profit. You’ll notice if someone gains access to your accounts.

Changing your password regularly is also essential if you use the same password everywhere, because it’s likely your password is constantly being leaked when one of the services you use is compromised. Rather than change that single password regularly, you should deal with the real problem here and use unique passwords everywhere.

When You Do Want to Change Passwords

Changing passwords can help if someone who isn’t a traditional attacker has access to your account. For example, let’s say you shared your Netflix login credentials with an ex — you’ll want to change your password so they can’t use your account forever. Or, let’s say someone close to you gained access to your email or Facebook password and used your password to spy on you. When you change your passwords, you’re primarily preventing this sort of account sharing and snooping, not preventing someone on the other side of the world from gaining access.

Regular password changes can also be valuable for some work systems, but they should be used with thought. IT administrators shouldn’t force users to change their passwords constantly unless there’s a good reason — users will just start using weak passwords, writing down passwords, or even switching back and forth between two favorite passwords.

Password changes in response to specific events are a good thing, of course. It’s a good idea to change your passwords on websites that were vulnerable to Heartbleed but have now patched it. Changing your password after a website has its passwords database stolen is also a good idea.

If you are reusing passwords for different websites and one of those sites is compromised, changing your password on all of those sites is a good idea. But this is the worst position to be in: the real solution is using unique passwords, not constantly changing your shared password to a new one on all the services you use.

The problem with advising people to change their password regularly is that it’s such distracting advice. Using strong, unique passwords everywhere is already almost impossible advice to follow if you’re not using a password manager to remember them for you. Two-factor authentication is also helpful, as it can prevent your accounts from being accessed even if someone steals your passwords. Rather than tell people to regularly change their passwords, we should be passing on useful advice like “use unique passwords everywhere”, something most people don’t presently do.

We’re not the only ones advising against regular, indiscriminate password changes. Security expert Bruce Schneier has written about why changing passwords regularly isn’t good advice, while Microsoft Research has also concluded that changing passwords regularly is a waste of time. Yes, there are some situations where you may want to do this — but passing on advice like “change your passwords every three months” to typical computer users is doing more harm than good.

I don't worry about remembering my passwords. I use Norton's Identity Safe. It's similar to LastPass. Since I don't have to memorize passwords, I can create strong ones. Using strong passwords is just as important as changing them periodically for critical sites. I would encourage others to use an app like Last Pass, Identity Safe, or KeePass. It makes life easier.

I would encourage others to use an app like Last Pass, Identity Safe, or KeePass. It makes life easier.

Absolutely. Both KeePass and LastPass have some great features for security, too, including random password generation.

KeePass is great for people who use one computer regularly, or for people who can't or don't trust cloud services. I use it for maintaining a list of credential information for logging in to my various clients' systems; without it, I would have to rely on printing passwords on paper, which is unacceptable.

LastPass, being a browser plugin and a mobile app, is the most convenient way to save and autofill your passwords. It stores data in the cloud, so you can access it from any machine (I use 5 computers on a regular basis.)

If you log in to more than 2 or 3 web sites regularly, use a password manager. I can't recommend that strongly enough.

I've switched from LastPass over to 1Password, which is aimed more at Mac users. It's not cheap, but it has a great interface... and my password files are not synced over a third-party cloud service. (There are many options for syncing.)

I just started using LastPass, and it's changed my life. OK, not really. But it does make me feel safer having crazy long passwords that no one can guess. Plus, it makes it easy to have a different password on every site. Recommended.

While there is no denying that strong passwords are a necessity in some circumstances, we seem to have returned to the "buy a computer so I can balance my checkbook" mentality. First of all, nobody wants 99.9 percent of the crap that is on most personal computers. Second, after you log into dozens of accounts with your Google or Facebook I.D., you've given away your privacy along with that of your contacts. Third, but definitely not last, is that with "one-use" credit card numbers, PayPal, GooglePay, etc. available, why is it necessary to store and/or transmit so much private information? We have become victims of fear-mongers with alternative motives. There were no cats juggled last year; so far this year there has been 1 case. That projects to 3 cases for 2014. That makes cat juggling the fastest growing crime in America!

No matter how diligently I protect my Social Security Number, it doesn't erase the fact that it was used as my driver's license for 30 years! It's still the same number and I can't change it! To be honest, the people who you should fear the most already have access to everything that goes online, and probably your camera and mic too!

We have become victims of fear-mongers with alternative motives. There were no cats juggled last year; so far this year there has been 1 case. That projects to 3 cases for 2014. That makes cat juggling the fastest growing crime in America!

What you're saying seems to boil down to "Nobody wants your stuff, so why bother locking it up," right?

And it's entirely incorrect:

People do want what's on your computer's hard drive. People often store all kinds of personal and useful information there.

Your email account may be the most valuable online resource you have, especially for scammers and spammers. If they manage to hijack your account, they will use your address list to send spam or malware to everyone you know. Since the messages appear to be coming from you, a trusted source, your friends will open the messages and gladly click on the malware attachment, taking your word that it's a goofy LOLcat image.

Your Facebook and Twitter accounts are just as valuable. My Twitter account (which I use for talking with maybe 5 people) was recently hijacked, and I discovered that it was filled with messages in a foreign language, and the hijacker had followed hundreds of Twitter accounts. While Twitter isn't a thing I do regularly, it is for a lot of people, and it can take a long time to undo the damage that a Twitjacker can cause. (The first thing that happens when your Twitter account starts sending out spam, malware, or political propaganda is that people unfollow you.)

Your credentials for your bank, PayPal and other financial sites are especially critical to keep safe. If someone had unfettered access to my PayPal account, they could wreak financial havoc in my life.

Now do you need to take heavy security measures for every site you visit? It's not like someone is going to hijack my Pizza Hut account and send me a pizza I didn't order; but they may well jack my Amazon account and order $1000 of merch before I can stop them.

So before belittling people for taking security seriously, maybe you should seriously consider the implications of our connected world: it's far too easy to mess with someone's life if you know their passwords.

I can't believe that nobody mentioned the one reason you do want to change your passwords frequently: the time it takes to crack it. If it takes three months to crack it, and you change it every one or two, then you just stopped an attack. And so what if you do append, or pad, your password? By making 10-12 character passwords with substitution and even padding at the front or the end with characters, you have a strong one. Example: P@ssw0rd$$$. And there is another good idea: keeping five or six good passwords and using them in combination. And I always used to advocate writing the password down if you can't remember it, but keep it in your purse or wallet.

The time it takes to crack it. If it takes three months to crack it, and you change it every one or two, then you just stopped an attack.

99% of weak passwords are cracked within mere seconds. Strong passwords should take A LONG time; this is what actually makes them strong. Changing passwords periodically will add extra security but is not really necessary if proper password management is done.

Tim said:

By making 10-12 character passwords with substitution and even padding at the front or the end with characters, you have a strong one. Example: P@ssw0rd$$$.

This is not a good idea... character substitution is not actually safe from computers, especially if the brute-force software used to break it is any good. The example you gave would be broken in about 15 seconds.

Randomly generated passwords are the best option.

Tim said:

There is another good idea: keeping five or six good passwords and using them in combination.

This is not a good thing to tell people either because NO ONE should use any passwords in multiple places. One Password Per Site and that site should be the ONLY site with that password.

Tim said:

I always used to advocate writing the password down if you can't remember it, but keep it in your purse or wallet.

This might be ok for people to put their master password in their wallet...though if they lose their wallet or it gets stolen they will have a huge mess on their hands.

The best thing is to make a really strong master password and then memorize that and only that... if you only need to remember one password, then that is fairly easy for anyone to do, because it is just one password to access your password manager.

Proper Password Management is actually pretty simple and easy for anyone to do...

Get a Password Manager: LastPass, KeePass, 1Password, etc.
Create a VERY strong Master Password, this is the ONLY password you will need to remember so make it strong and make it something you can remember.
Use the Password Generator Tools in your password manager.
Make your passwords at least 10 characters, but the more the better within reason; you may have to type them at some point.
Use a combination of lowercase letters, uppercase letters, symbols (#$%^) and numbers, and use your generator to do this.
Make a different password for EVERY website.
If you have multiple accounts on one website, make a new password for EVERY account. (you should NEVER have duplicate passwords)

The password managers will keep track of everything for you, autofill your passwords for you and you don't have to worry about forgetting anything...there is only one password to remember and everything else is done automatically.
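As an added illustration of the disagreement above over P@ssw0rd$$$ and of the checklist just given (example code, not from the article or either commenter), the Python below counts the candidates a rule-based cracker enumerates for leet-substituted, padded dictionary words, and contrasts that with a generator that follows the checklist. The wordlist, leet table and padding rule are constructed assumptions standing in for a real cracking setup.

```python
import math
import secrets
import string

# Constructed stand-in for a cracker's wordlist; real lists hold millions of
# entries, which adds only ~20 bits to the figures computed below.
COMMON_WORDS = {"password", "welcome", "letmein", "dragon", "monkey", "qwerty"}
# Substitutions a "leet" mangling rule tries per letter (the letter itself included).
LEET = {"a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7"}
UNLEET = str.maketrans({alt: letter for letter, alts in LEET.items() for alt in alts})
PAD_CHARS = "!@#$%^&*"   # symbols a padding rule appends, up to MAX_PAD of them
MAX_PAD = 3
# Character classes from the checklist above: lower, upper, digits, symbols (#$%^).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "#$%^")
ALPHABET = "".join(CLASSES)


def rule_space(words=COMMON_WORDS) -> int:
    """Candidates a rule-based cracker enumerates: every word, with or without a
    capitalised first letter, every leet combination, and 0..MAX_PAD padding symbols."""
    pad_variants = sum(len(PAD_CHARS) ** n for n in range(MAX_PAD + 1))
    leet_combos = sum(math.prod(len(LEET.get(c, c)) for c in w) for w in words)
    return 2 * leet_combos * pad_variants


def matches_rules(candidate: str) -> bool:
    """True if the candidate lies inside that rule space, i.e. it would get tried."""
    core = candidate.rstrip(PAD_CHARS)
    if not core or len(candidate) - len(core) > MAX_PAD:
        return False
    if core[1:] != core[1:].lower():   # only first-letter capitalisation is modelled
        return False
    return core.translate(UNLEET).lower() in COMMON_WORDS


def generate_password(length: int = 16) -> str:
    """CSPRNG password with at least one character from every class (rejection sampling)."""
    if length < 10:
        raise ValueError("use at least 10 characters")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw


def bits(space: int) -> float:
    """A search space expressed as bits of entropy (log2 of the candidate count)."""
    return math.log2(space)


if __name__ == "__main__":
    print("P@ssw0rd$$$ in rule space:", matches_rules("P@ssw0rd$$$"))
    print("rule space: %.1f bits" % bits(rule_space()))
    pw = generate_password()
    print("%s in rule space: %s; brute force: %.1f bits"
          % (pw, matches_rules(pw), bits(len(ALPHABET) ** len(pw))))
```

Even with a six-word list the rule space is under 17 bits, while a 16-character generated password over the same four classes sits near 97 bits and never falls inside the rule space.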